-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove NuGet dependencies version upper limits #4642
Remove NuGet dependencies version upper limits #4642
Conversation
Upper limits for Asp.Net Core 2.x dependencies should not be removed. 2.2 is deprecated while 2.1 is the only supported version which will receive security updates. Upper limits are introduced in #4561 for this reason. |
@olegd-superoffice, #4561 does nothing to prevent the user from targeting those versions. It can still be forced. The same would apply to .NET 3.1 and .NET 5.0. |
Preventing the user of using anything was not the purpose of that PR. The purpose was to change versions of |
The effective change to the dependency was changing 2.2.0 to 2.1.x and not setting an upper limit. If that could be a really issue, |
Having upper limit just makes it explicit, Either way comment in |
It does nothing of the sort. The source code will only use one specific version and it can't target a incompatible runtime. The end user can still force it in a number of ways. |
Nothing of which sort? The end user cannot force anything about dlls bundled inside |
And nothing on the dependency version declaration changes that. But that's not the case with NSwag.Commands. The package does not ship with the dependencies. Only declares the references. |
So what does removing upper limit achieve here? As you said, end user can override it if they want. But having upper limit prevents end user from using unsupported library versions accidentally. Especially for people who are using paket for dependency management which would just update everything to the latest version on |
Because I don't use paket I forgot about that. But I expect this package to not be the only one to cause issues. I'd need a binlog to analyze that. |
I would also highly welcome this change. We updated to net8 and this package is now causing build warnings for our build. e.g.
I see the point that you want to prevent accidental issues with too new versions. But like @paulomorgado mentioned, it is also the only package for us which does this and causes the issue. Also with the |
@Lyra2108 I'm only talking about |
@olegd-superoffice, can you provide a minimal exemple of how this is an issue for you? |
It is not an issue for me. Because I'm already very familiar with the versioning mess created by Microsoft with I have already described how it can be an issue for someone using paket. Here's a simple script to reproduce it:
This will use current release version of |
The source https://api.nuget.org/v3/index.json
storage: none
nuget
NSwag.Commands And got this error: dotnet paket update
Paket version 8.0.0+6bcb14ec191f11e984ff0e58016f5987a5cfa8f6
Total time taken: 0 milliseconds
Paket failed with
-> Error in paket.dependencies line 4
could not retrieve NuGet package from I tried with dotnet new classlib -f netstandard2.0
dotnet add package NSwag.Commands
dotnet build And got a dependency of Microsoft.AspNetCore/2.1.7: sls -path .\bin\Debug\netstandard2.0\nuget.deps.json -s -patt '"Microsoft.AspNetCore/'
D:\Temp\Projects\nswag#4642\nuget\bin\Debug\netstandard2.0\nuget.deps.json:34: "Microsoft.AspNetCore/2.1.7": {
D:\Temp\Projects\nswag#4642\nuget\bin\Debug\netstandard2.0\nuget.deps.json:2034: "Microsoft.AspNetCore/2.1.7": {
D:\Temp\Projects\nswag#4642\nuget\bin\Debug\netstandard2.0\nuget.deps.json:2038: "path": "microsoft.aspnetcore/2.1.7", However I can force it to reference Microsoft.AspNetCore/2.2.0, even though it's outside the interval: dotnet add package Microsoft.AspNetCore --version 2.2.0
dotnet build Now it uses 2.2.0: sls -path .\bin\Debug\netstandard2.0\nuget.deps.json -s -patt '"Microsoft.AspNetCore/'
D:\Temp\Projects\nswag#4642\nuget\bin\Debug\netstandard2.0\nuget.deps.json:34: "Microsoft.AspNetCore/2.2.0": {
D:\Temp\Projects\nswag#4642\nuget\bin\Debug\netstandard2.0\nuget.deps.json:2034: "Microsoft.AspNetCore/2.2.0": {
D:\Temp\Projects\nswag#4642\nuget\bin\Debug\netstandard2.0\nuget.deps.json:2038: "path": "microsoft.aspnetcore/2.2.0", paket chooses to make its own interpretation of how NuGet should work and it's paket's responsability to make it work. |
Are you getting new line in
Also, you can replace target framework in generated |
That's what
That will cause errors with You can use |
Hi, any idea when this fix could be released? |
No, I just tested it. No errors here.
Thanks, I already know how to pin dependencies versions, but my point is that the defaults should be safe to use and that's what upper limit provides here. But can you provide a minimal example of how this existing upper limit is an issue for you? |
Setting upper version limits is for when the referencing library does not work with versions above a specific version, which is not the case. It has nothing to do with supportability of the dependencies. As far as I know, the whole NuGet system was built on the premise that each package should reference the lowest dependencies that match the usage. Upper limits are in place because there might be breaking changes in the dependencies. Paket, on the other end, chose to opt for the highiest version, knowing the issues that would bring. I'll leave the final decision to @RicoSuter . |
This is just your opinion, but there are other opinions what upper limit is for. For example Microsoft Kiota developers use different approach. Anyway, you cannot provide any example of how this limit on .NET 4 is an issue for you? |
@Lyra2108 BTW, can you try the latest preview of NSwag v14 (14.0.0-preview012 as of today) and see if you still have this warning? |
Well... Yes, the warnings are fixed with the latest preview... But I need to do a lot of commented out lines to not have build errors any more and for some e.g. the TypeMappers I could not see quick replacements. So I will need an update guide and quite some time to really use the v14. Therefore, an update for the v13 would be preferred. |
@Lyra2108 all these settings are now under SchemaSettings and not on the generator settings itself anymore, should be quick to fix. |
Thanks, that was simpler and faster to get running then expected. :) I am happy to wait for the v14 Release. |
@RicoSuter, because it's a, somewhat, unexpected breaking change, this could be attributed as obsolete with warning and proxied for the new API. In a few releases, it should be an error and removed only on version 15. I can submit a PR for that. |
@paulomorgado what do you mean? |
@RicoSuter, I just created #4648 for discussion. |
Some packages have upper version limits on some of the dependencies which result in NU1608 warnings.
Since this does not prevent the usage of upper version packages, this PR removes that limitation.
Closes #4638